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Abstract 

Managing  trust  in  a  tactical  Mobile  Ad  Hoc  Network  (MANET)  is  challenging  when  collaboration  or  cooperation  is 
critical  to  achieving  military  missions  and  system  goals.  Further,  in  heterogeneous  MANETs,  evaluating  the  trust 
level  of  a  mission-driven  group  communication  system  accurately  and  identifying  well-qualified  nodes  to  perform  a 
given  mission  are  also  crucial  for  successful  mission  completion.  Some  nodes  will  be  highly  qualified  to  perform  the 
mission  while  others  will  not  be,  depending  on  the  mission.  Based  on  the  context-dependent  characteristic  of  trust, 
we  propose  a  mission-dependent  trust  management  protocol  that  dynamically  evaluates  the  trust  values  of  nodes, 
and  dynamically  recomposes  the  mission  team  so  as  to  maximize  the  mission  success  probability.  We  develop  a 
composite  trust  metric  that  considers  aspects  of  QoS  trust  derived  from  communication  networks  and  social  trust 
derived  from  social  and  cognitive  networks.  We  show  that  the  proposed  mission-dependent  trust  management 
protocol  outperforms  a  unified  trust  management  protocol  which  is  not  customized  for  performing  a  particular 
mission. 
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1.  Introduction 


Mobile  ad  hoc  networks  (MANETs)  are  defined  as  multi-hop  wireless  networks  dynamically  formed  by  mobile 
nodes  without  the  help  of  any  centralized  infrastructure  [9],  Unlike  stationary  wired  networks,  security  protocol 
designers  for  MANETs  face  technical  challenges  due  to  the  unique  characteristics  of  MANETs  such  as  resource- 
constraints  (e.g.,  bandwidth,  memory,  energy,  and,  computational  power),  openness  to  eavesdropping,  high 
security  threats  or  vulnerabilities,  inherent  unreliable  communications  of  the  wireless  medium,  and  rapid  changes 
in  topologies  or  memberships  due  to  node  mobility  or  failure  [9],  Group  communication  systems  (GCSs)  in  MANETs, 
such  as  in  military  battlefields  or  emergency  rescues,  require  teamwork  and  collaboration  to  achieve  a  mission  that 
depends  on  the  trust  relationships  among  group  members  [13]. 

The  concept  of  "trust"  originally  derives  from  the  social  sciences  and  is  defined  as  the  degree  of  subjective  belief 
about  the  behaviors  of  a  particular  entity  [7].  Blaze  et  al.  [4]  first  introduced  the  term  trust  management  and 
identified  it  as  a  separate  component  of  security  services  in  networks.  Since  its  inception,  trust  management  in 
MANETs  (TMM)  also  has  received  considerable  attention  due  to  its  crucial  necessity  and  diverse  applicability  in  the 
decision  making  process.  TMM  is  needed  when  participating  nodes,  without  previous  interactions,  desire  to 
establish  a  network  with  an  acceptable  level  of  trust  relationships  among  themselves,  for  example,  in  building 
initial  trust  bootstrapping,  or  coalition  operation  without  predefined  trust. 

A  given  mission  may  require  nodes  with  specific  properties  reflecting  aspects  of  Quality-of-Service  trust  (QoST)  and 
social  trust  (ST).  Some  nodes  will  be  highly  qualified  to  perform  the  mission  while  others  will  not  be,  depending  on 
the  mission.  Therefore,  based  on  the  context-dependent  characteristic  of  trust,  we  propose  a  mission-dependent 
trust  management  protocol  where  a  mission  team  consists  of  best  qualified  nodes  that  are  dynamically  selected 
upon  every  trust  update  with  the  goal  of  maximizing  the  mission  success  probability. 

The  contributions  of  this  work  are  as  follows.  First,  we  propose  a  mission-dependent  trust  management  (MDTM) 
suitable  for  tactical  MANETs  based  on  context-dependent  characteristics  of  trust.  Second,  our  proposed  protocol 
dynamically  evaluates  the  trust  values  of  nodes,  and  dynamically  recomposes  the  team  so  as  to  maximize  the 
probability  of  mission  success.  Third,  we  propose  a  novel  composite  trust  metric  consisting  of  QoS  trust  derived 
from  communication  networks  and  social  trust  derived  from  social  and  cognitive  networks.  Fourth,  we  develop  a 
new  reliability  metric,  called  the  mission  success  probability,  based  on  the  trust  levels  required  by  a  given  mission. 
Fifth,  we  develop  a  novel  "continuous-time"  hierarchical  modeling  technique  based  on  Stochastic  Petri  Nets  (SPN) 
to  describe  and  evaluate  the  proposed  MDTM  protocol;  this  facilitates  handling  of  dynamics  and  results  in  a 
scalable  implementation.  Finally,  we  show  that  the  proposed  MDTM  protocol  outperforms  a  unified  trust 
management  (UFTM)  protocol  which  is  not  customized  for  performing  a  particular  mission. 

The  rest  of  the  paper  is  organized  as  follows.  Background  and  related  work  are  discussed  in  Section  2.  The 
composite  trust  metric,  computation  of  the  proposed  mission-success  probability  metric,  attack  and  energy 
models,  and  underlying  assumptions  are  described  in  Section  3.  The  SPN-based  performance  model  developed  for 
analyzing  performance  characteristics  of  MDTM  is  the  focus  of  Section  4.  Analytical  results  are  provided  in  Section 
5  where  the  proposed  MDTM  is  compared  with  the  UFTM.  A  discussion  of  the  limitations  of  this  work  and 
directions  for  future  work  are  provided  in  Section  6. 

2.  Related  Work 

Due  to  the  unique  characteristics  of  MANETs  and  the  inherent  unreliability  of  wireless  communications,  trust 
management  for  MANETs  should  be  dynamic  and  account  for  uncertainty.  Trust  is  context-dependent,  and 
subjective,  and  not  necessarily  transitive  or  reciprocal.  The  context-dependent  characteristic  of  trust  is  popularly 
discussed  with  a  typical  example  that  Alice  may  trust  Bob  to  order  wine  at  dinner  but  wouldn't  trust  him  to  fix  her 
car  [lj.  Similarly  in  MANETs  depending  on  the  given  task,  different  types  of  trust  (e.g.,  trust  in  computational 
power  or  trust  in  unselfishness)  are  required.  The  reader  is  referred  to  [5]  for  a  detailed  discussion  of  properties 
and  references  on  trust.  Trust  management  systems  for  MANETs  should  consider  the  following  design  features: 
trust  metrics  must  be  customizable;  evaluation  of  trust  should  be  fully  distributed  without  reliance  on  a  centralized 
authority,  and  should  cope  with  dynamics  and  adverse  behaviors  in  a  tactical  MANET  [5], 
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Most  of  the  existing  trust  management  or  reputation  schemes  focus  on  "context-awareness"  in  formulating  the 
trust  level  of  an  entity.  Context  information  is  defined  as  any  information  that  explains  the  condition  of  an  entity  in 
terms  of  a  specific  aspect  [23].  Further,  a  context  refers  to  the  set  of  all  context  information  including  the 
characteristics  of  the  entities  that  are  appropriate  for  a  particular  task  with  their  appropriate  aspects  [23].  Adams 
et  al.  [1]  considered  context  information  to  evaluate  the  trust  level  in  determining  access  rights  to  a  decentralized 
system.  Corradi  et  al.  [8]  proposed  a  trust  model  adapting  trust  relationships  to  dynamic  context  information 
occurring  in  pervasive  computing  environments.  They  also  incorporated  dynamic  context  to  evaluate  the  trust 
level  of  an  entity.  Gray  et  al.  [12]  integrated  trust-based  admission  control  with  standard  role-based  access  control. 
Moloney  and  Weber  [16]  proposed  a  context-aware  trust-based  security  system  for  MANETs.  Tavakolifard  et  al. 
[23]  proposed  a  context-aware  trust  model  based  on  the  fact  that  behaviors  of  an  entity  are  influenced  by  the 
situation.  Uddin  et  al.  [25]  proposed  an  interaction-based  context-aware  trust  model  for  open  and  dynamic 
systems  where  services  are  regarded  as  contexts.  Our  work  differs  from  the  above  in  that  we  select  a  set  of 
qualified  nodes  to  meet  context-dependent  mission  requirements. 

Bertocco  and  Ferrari  [2]  proposed  a  reputation  system  for  a  centralized  system  where  an  agent  can  join  a  group 
with  particular  context  information  in  which  it  is  interested.  Similarly,  Billhardt  et  al.  [3]  examined  how  to  select 
appropriate  service  providers  based  on  trust  when  there  is  no  prior  experience  with  the  service  providers. 
Toivonen  et  al.  [24]  investigated  trust  levels  where  trustors  are  placed  in  diverse  situations.  They  claimed  that  trust 
can  vary  depending  on  the  situation  of  the  trustor  and  proposed  functions  to  determine  context-aware  trust.  Our 
work  differs  from  the  above  work  in  that  context  is  used  as  a  mission  requirement  to  select  best  qualified  nodes  to 
maximize  the  mission  success  probability.  Further,  we  consider  two  different  aspects  of  trust,  namely,  QoS  trust 
and  social  trust. 

Namuduri  [17]  proposed  an  active  trust  model  for  an  airborne  network  requiring  trust  assessment  before  sharing 
mission-specific  information  during  a  short  mission  execution  period  based  on  zero-knowledge  proofs.  This  work  is 
similar  to  our  work  in  that  trustable  nodes  are  selected  for  executing  a  mission  by  sharing  mission  specific- 
information.  Flowever,  Namaduri's  model  assesses  trust  based  solely  on  whether  or  not  a  node  possesses  a  secret 
key,  whereas  we  use  a  composite  trust  metric  consisting  of  QoS  trust  and  social  trust. 

The  research  area  of  resource  allocation,  e.g.,  matching  sensors  with  missions,  uses  ideas  similar  to  ours  although 
they  do  not  deal  with  trust.  Mainland  et  al.  [15]  proposed  market-oriented  methods  to  optimize  system 
performance  in  terms  of  resource  allocation.  Preece  et  al.  [19]  investigated  how  to  match  available  resources, 
particularly  sensors,  in  battlefield  situations  to  achieve  efficient  mission  completion.  Preece  et  al.  [20]  also 
investigated  sensor-mission  assignments  in  the  context  of  dynamic  coalitions  and  changing  mission  requirements. 
Rowaihy  et  al.  [21]  proposed  centralized  and  distributed  schemes  to  assign  sensors  to  dynamically  changing 
environments.  Wang  et  al.  [26]  dealt  with  context-aware  service  matchmaking  using  description  logic.  However, 
the  body  of  work  described  above  does  not  deal  with  trust. 

Recently,  we  proposed  a  trust  management  protocol  for  a  cognitive  GCS  in  MANETs;  our  trust  metric  was 
composed  from  QoS  trust  and  social  trust  [6].  However,  the  prior  work  assumes  a  static  team;  it  does  not  deal  with 
dynamic  selection  of  team  members  as  the  trust  status  of  the  network  evolves. 

3.  System  Model 

In  the  initial  network  deployment,  we  assume  that  there  is  no  predefined  trust.  Without  prior  interactions,  the 
initial  bootstrapping  will  establish  a  shallow  level  of  trust  based  only  on  limited  direct  observations,  indirect 
information  through  third  parties,  and  authentication  by  a  challenge/response  process.  Over  time,  participating 
nodes  will  establish  a  stronger  trust  level  with  more  confidence  based  on  direct  or  indirect  interactions.  Our  trust 
management  protocol  allows  each  node  to  evaluate  the  trust  levels  of  other  nodes  as  well  as  to  be  evaluated  by 
other  nodes. 

Trust  decays  over  time  without  further  updates  or  interactions  between  entities.  Node  mobility  also  may  hinder 
continuous  interactions  with  other  group  members,  lowering  the  chances  of  evaluations  of  each  other  in  the  group. 
This  includes  cases  such  as  a  node  moving  to  other  areas  causing  its  disconnection  from  the  current  group,  leaving 
a  group  for  mission  reasons,  voluntary  disconnection  for  saving  power  or  involuntary  disconnection  due  to  physical 
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terrain  or  low  energy.  On  the  other  hand,  node  mobility  could  enhance  trust  evaluation  of  distant  nodes.  We  use 
the  concept  of  a  trust  chain  of  a  node  to  indicate  derivation  of  indirect  trust  evidence  across  multiple-hops; 
however,  one  should  expect  that  the  degree  of  trust  would  decay  as  the  length  of  the  trust  chain  increases. 

Our  target  system  is  a  mission-driven  GCS  in  military  tactical  MANETs  where  a  symmetric  key,  called  the  group  key, 
is  used  as  a  secret  key  for  group  communications  between  group  members  [14].  Upon  a  node's  disconnection  from 
the  group,  the  system  generates  and  redistributes  a  new  key  so  that  non-member  nodes  will  not  be  able  to  access 
a  valid  secret  group  key.  Nevertheless,  each  group  member  keeps  old  trust  information  even  for  non-member 
nodes  so  that  the  information  can  be  reused  for  future  interactions.  This  is  useful  to  cope  with  potential  newcomer 
attackers  who  flush  their  low  trust  levels  by  frequently  rejoining  the  group.  Our  trust  metric  will  span  two  aspects 
of  the  trust  relationship.  First,  social  trust  [11]  will  be  evaluated  through  social  networks.  Social  networks  may  be 
neighboring  nodes  or  any  nodes  that  had  previous  relationships  due  to  their  common  interests.  Based  on  the 
generally  accepted  definition  of  social  networks  [11],  they  may  not  necessarily  be  the  same  as  networks  that 
perform  the  task  for  mission  execution.  Second,  quality-of-service  (QoS)  trust  evaluated  through  information 
networks  accounts  for  the  capability  to  complete  the  assigned  mission. 

The  key  question  of  this  work  is  "Can  we  trust  this  node  to  do  mission  X?"  To  effectively  answer  this  question,  we 
develop  mission-dependent  trust  management  (MDTM)  for  a  tactical  GCS  in  MANETs.  The  underlying  idea  is  that 
we  select  the  best  qualified  nodes  to  perform  a  given  mission  which  requires  certain  characteristics.  For  example, 
when  a  mission  requires  high  degree  of  the  properties  related  to  QoS  trust  (e.g.,  energy  level  or  cooperation  or 
timeliness),  we  use  criteria  with  high  priority  to  the  QoS  aspects  of  trust.  On  the  other  hand,  if  the  mission  rather 
requires  high  degree  of  social  trust  properties  (e.g.,  honesty,  proximity,  betweenness),  we  use  criteria  emphasizing 
the  social  aspects  of  trust. 

3.1  Assumptions  and  Design 

We  assume  a  pure  MANET  environment,  without  a  centralized  trusted  entity,  where  nodes  communicate  through 
multi-hops.  Members  of  a  GCS  in  MANETs  are  heterogeneous  nodes  consisting  of  typical  types  of  military  nodes 
such  as  robots  equipped  with  sensors,  dismounted  soldiers  carrying  mobile  devices,  unmanned  vehicles  with 
mobile  devices,  and  manned  vehicles  with  mobile  devices  [18].  The  heterogeneous  group  member  nodes  have 
different  capabilities  or  characteristics  in  terms  of  platform  functionalities,  moving  speed,  energy  level,  and 
intrinsic  tendencies  of  selfish  or  malicious  behaviors.  In  this  work,  we  considere  4  types  of  nodes  where  higher 
type  nodes  (e.g.,  node  type  4  represented  as  NT4)  have  higher  energy  level  and  speed  than  lower  type  nodes  (e.g., 
node  type  1  represented  as  NT1).  The  initial  energy  level  and  speed  are  assumed  to  be  uniformly  distributed  and 
mutually  independent.  Flowever,  we  do  not  link  intrinsic  tendencies  of  selfish  or  malicious  behaviors  of  nodes  with 
the  node  type.  The  intrinsic  tendencies  of  selfish  and  malicious  behaviors  are  modeled  as  exponentially  distributed 
random  variables,  representing  the  probability  that  a  node  will  behave  selfishly  or  not  and  maliciously  or  not.  We 
also  associate  the  energy  level  of  a  node  with  the  intrinsic  tendencies  of  selfish  or  malicious  behaviors  at  runtime. 
That  is,  even  if  a  node  has  intrinsically  very  bad  behavioral  characteristics,  these  behaviors  can  be  relaxed  and  the 
node  can  become  generous  when  it  is  under  less  stressful  environments  such  as  having  a  sufficient  amount  of 
energy.  Thus,  depending  on  the  given  intrinsic  tendencies,  the  degree  of  being  good  (e.g.,  cooperative  or  honest) 
or  bad  (e.g.,  selfish  or  dishonest  by  being  compromised)  at  runtime  can  also  vary. 

Even  if  the  intrinsic  tendencies  of  selfishness  and  maliciousness  may  affect  the  behaviors  of  nodes,  the 
environmental  conditions  such  as  remaining  energy  will  also  affect  the  behaviors  of  the  nodes.  A  node  is  more 
likely  to  be  selfish  when  it  has  low  energy  and  vice  versa.  Further,  a  node  is  more  likely  to  be  compromised  when  it 
has  low  energy  and  vice  versa,  since  a  node  with  high  energy  is  more  capable  of  defending  itself  against  attackers 
by  using  more  energy-consuming  defense  mechanisms. 

Each  node  periodically  beacons  heartbeats  with  its  id  and  location  information  so  that  node  failure  or 
disconnection  is  easily  detected  and  accordingly  immediate  rekeying  operation  can  be  performed  to  maintain 
secrecy  properties  (i.e.,  backward  or  forward  secrecy).  We  assume  that  there  exists  a  distributed  intrusion 
detection  subsystem  (IDS)  for  detecting  insider  attacks.  As  soon  as  a  node  is  detected  by  IDS,  we  assume  that  the 
node  is  no  longer  available  in  the  system,  meaning  that  trust  value  of  the  node  will  drop  suddenly.  We  do  not 
make  any  assumptions  about  the  IDS,  except  that  it  has  known  false  positive  and  false  negative  probabilities.  We 
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define  the  selfish  behavior  of  a  node  as  dropping  group  communication  packets  transmitted  from  other  nodes. 
Thus,  even  though  the  node  is  selfish,  it  cooperates  to  perform  rekeying  and  IDS-related  operations.  We  also 
assume  that  potential  attackers,  compromised  but  not  detected  by  IDS,  may  disseminate  bogus  packets  to  perform 
attacks  such  as  fake  information  dissemination. 

The  energy  level  of  each  node  is  adjusted  depending  on  its  status.  For  simplicity,  we  only  consider  energy 
consumption  based  on  communication  type,  receiving  or  transmitting.  For  example,  if  a  node  becomes  selfish,  the 
rate  of  energy  consumption  is  slowed  down.  If  a  node  becomes  compromised  but  not  detected  by  IDS,  the  rate  of 
energy  consumption  could  grow  since  the  node  may  have  a  chance  to  perform  attacks,  thus  consuming  more 
energy.  We  only  consider  redemption  mechanism  for  selfish  nodes.  At  the  end  of  a  reevaluation  period,  which 
corresponds  to  a  trust  update  interval,  selfish  nodes  will  decide  whether  they  will  resume  normal  behaviors  or 
continue  being  selfish  depending  on  their  own  energy  level.  In  addition,  when  a  node  is  not  a  member,  it  will  not 
consume  as  much  energy  as  when  it  is  a  member.  We  model  group  member  join  and  leave  operations  as  most 
GCSs  have.  Upon  every  membership  change  due  to  join/leave/eviction,  individual  rekeying  will  be  performed 
based  on  a  distributed  key  agreement  protocol. 

We  assume  that  a  node's  trust  value  is  assessed  based  on  direct  observations  as  well  as  indirect  observations.  For 
indirect  observations,  we  use  recommendations  obtained  from  1-hop  neighbors  with  the  k  highest  trust  values  on 
the  trust  chain.  If  k  recommenders  are  not  found,  recommendations  from  all  1-hop  neighbors  can  be  used.  The 
trust  value  is  updated  by  exchanging  status  information  periodically.  The  status  exchange  packet  includes  a  node's 
own  information  as  well  as  information  of  nodes  on  its  trust  chain. 

We  adopt  the  hexagon-shaped  operational  area  consisting  of  3 m2  + 
3 m  +  1  sub-hexagon  areas  where  m  indicates  a  ring  level  =  0,  1,  2,  etc. 
Figure  1  shows  an  example  with  m  =  2.  The  diameter  of  a  hexagonal  area 
equals  the  wireless  radio  range  (/?).  In  order  to  analytically  model  average 
behaviors  of  nodes,  we  assume  that  a  node  is  located  in  the  center  of  a 
hexagon  area.  A  node  in  area  0  (called  a  ring  level  0)  can  communicate 
with  nodes  in  area  1  (called  a  ring  level  1)  with  1-hop  distance.  In  this 
case,  we  regard  the  nodes  in  areas  1  and  0  (its  current  location)  as  1-hop 
neighbors  of  the  node  located  in  area  0.  The  n-hop  neighbors  are 
calculated  similarly.  Each  node  moves  toward  a  target  area  designated  by 
a  given  mission.  We  model  this  by  allowing  a  node  to  randomly  select 
areas  closer  to  the  target  area  with  high  probability  and  the  areas  distant 
from  the  target  area  with  lower  probability. 

Pham  et  al.  [18]  describe  typical  mission  teams  in  military  battlefield  MANETs.  Similarly,  we  also  assume  that  a 
mission  team  is  deployed  with  team  members  who  are  best  qualified  for  a  given  mission  execution  during  a  short 
period  of  time.  In  particular,  upon  every  trust  update,  a  different  set  of  members  will  be  selected  based  on  the 
characteristics  required  by  the  mission.  We  select  the  best  k  qualified  nodes  with  the  top  highest  trust  values  from 
the  nodes  in  each  node  type  with  k  <  N/Nnt,  where  N  is  the  total  number  of  members,  and  Nnt  is  the  number  of 
nodes  types.  The  criteria  to  select  nodes  for  mission  execution  will  be  either  MDTM  or  UFTM.  The  goal  of  this 
study  is  to  compare  the  proposed  MDTM  with  UFTM  in  terms  of  the  mission  success  probability. 

3.2  Composite  Trust  Metric 

We  consider  a  trust  metric  that  spans  two  aspects  of  the  trust  relationship:  QoS  trust  and  social  trust.  The  overall 
trust  value  is  calculated  based  on  the  degrees  of  energy  and  cooperation  for  QoS  trust  and  the  degrees  of  honesty, 
proximity  to  a  mission-designated  target  area,  and  betweenness  centrality  for  social  trust,  with  a  fixed  ratio  (QoS 
trust  :  social  trust).  The  values  of  each  trust  component  and  the  overall  trust  value  will  be  in  the  range  of  [0,  1], 
with  0  indicating  complete  distrust,  0.5  ignorance  and  1  complete  trust.  A  node's  trust  value  changes  dynamically 
to  account  for  trust  decay  over  time  due  to  node  mobility  or  failure,  as  the  trust  chain  becomes  longer,  as  the 
node's  energy  level  changes,  and  as  the  node  becomes  compromised  or  selfish. 

Based  on  the  trust  values  calculated  by  1-hop  neighbors,  the  trust  value  can  be  calculated  by  n-hop  neighbors.  The 
information  used  for  trust  evaluation  of  a  particular  node  j,  the  trustee,  by  a  particular  node  i,  the  trustor,  includes 


Figure  1:  Hexagonal  Network  Model. 
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probability  of  being  alive  if  remaining  energy  >  energy  threshold  (7 ^~h°v 'eneray  probability  of  being 
cooperative  (T7_ftop'cooperatIon  (t)),  probability  of  being  honest  (j>yh°P  ’honesty  (t));  relative  average  closeness 
from  node  j’s  location  to  a  target  area  (7 ^~h°P  ■Proximity  anc|  relative  average  closeness  from  node  j’s  location 

to  all  other  nodes  (T^~hop ■betweenness  (t)) ;  where  n  is  the  length  of  the  trust  chain  (TC)  of  a  node  and  t  is  time.  The 
basis  (i.e.,  direct  observation  to  derive  1-hop  local  trust  value)  for  the  computation  of  these  five  trust  component 
values  will  be  explained  in  Section  4.  We  refer  the  reader  to  our  prior  work  [6]  for  details  of  the  technical  method 
for  obtaining  them  from  a  SPN  performance  model. 

Below  we  detail  how  the  trust  value  is  calculated.  The  n-hop  trust  value  of  node  j  by  node  /,  T^hop (t),  is 
calculated  using  direct  observations  and  indirect  information  forwarded  from  recommenders  who  are  1-hop 
neighbors  of  node  i,  using  a  trust  chain  of  length  n.  If  the  length  of  the  trust  chain  is  n,  then  in  evaluating  the  trust 
value  of  node  j,  node  /  considers  recommendations  from  krecom  1-hop  neighbors  incorporating  information  passed 
from  all  nodes  on  its  trust  chain  that  are  within  n  hops  of  itself.  Note  that  a  node,  say  k,  in  this  n-hop  neighborhood 
of  node  /,  will  also  compute  its  trust  value  of  node  j,  based  on  direct  and  indirect  evidence  collected  by  nodes  in 
node  k's  n-hop  neighborhood.  Specifically,  7)"_,lop  (t)  is  defined  by: 


T'l~hop  (t)  =  P"~hop{t) 


ft 


frjin—  hop  .energy  jin— hop  .cooperation 
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Here  ft  and  (1  —  ft)  are  the  non-negative  weights  for  QoS  trust  and  social  trust  respectively.  In  Equation  1,  all  the 
7) j  terms  will  be  in  the  range  of  [0,  1]  and  each  trust  component  in  QoS  trust  and  social  trust  will  be  equally 
weighted.  For  the  proposed  MDTM,  we  will  vary  ft  to  reflect  the  priority  of  the  required  characteristics,  either  QoS 
trust  or  social  trust.  The  n-hop  trust  values  are  computed  from  the  (n-1)- hop  and  indirect  trust  values  via: 
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Equation  2  explains  how  each  n-hop  trust  component  (where  Z  is  energy,  cooperation,  honesty,  proximity,  or 
betweeness)  is  calculated  from  its  (n-lj-hop  "self-information"  with  weight  a  for  the  node's  own  information,  and 
weight  (1  —  a)  for  indirect  information,  say  "other-information,"  in  the  nth  hop.  can  be  obtained 

by  recursively  using  Equation  2.  j^~hoP  ■z-lndlrect  (f)  \s  calculated  as: 
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In  Equation  3,  K  is  the  set  of  the  ids  of  recommender  nodes  that  have  the  highest  trust  values  among  all  1-hop 
neighbors  on  the  trust  chain  where  |/<r|  =  krecom  .  Notice  that  in  calculating  the  trust  value  of  node  j  by  node  /  via 
node  k's  recommendation,  node  /’ s  trust  value  on  node  k  (with  a  denominator  that  sums  up  /’ s  trust  values  on  all 
recommenders)  is  used  as  a  weight. 

In  Equation  1,  />"  ~,lop  (t)  is  the  probability  that  nodes  /  and  j  are  within  n  hops  and  is  used  to  take  into  account  the 
amount  of  accumulated  interactions  between  nodes  /  and  j  within  n  hops. .  That  is,  node  /  considers  its  experiences 
with  node  j  when  they  are  within  n  hops  of  one  another.  The  intuition  is  that  longer  and  more  interactions  will 
increase  the  certainty  of  the  trust  relationship.  T)"  _,lop(t)  is  computed  by: 
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Here  S  is  a  set  covering  all  (/,  m)  pairs  with  the  distance  between  /  and  m  being  k-hops,  and  max  is  the  maximum 
length  of  the  trust  chain  of  a  node.  Notice  that  p^~h°v  (t)  is  the  probability  that  the  hop  distance  between  two 
nodes  is  less  than  or  equal  to  n  while  q-Jhop  (t)  is  the  probability  that  the  hop  distance  between  the  two  nodes  is 
exactly  k.  Pl°c=k(t )  refers  to  the  probability  that  node  /  is  located  in  area  k.  By  dividing  by  (Yk=\  q^Jh°v  it)),  we 
consider  the  relative  largeness  of  the  interactions  that  have  occurred. 

Observe  that  the  n-hop  trust  values  are  calculated  based  on  (n-1)- hop  trust  values.  Thus,  the  basis  of  all  trust 
values  with  the  trust  chain  length  n  >  1  is  the  1-hop  trust  value,  hereafter  called  the  1-hop  local  trust  value.  The  1- 
hop  local  trust  value  of  node  j  evaluated  by  node  /  for  a  particular  trust  component  Z,  Til~hnp’x  (t),  is  computed  by: 
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Equation  5  considers  the  subjective  characteristic  of  trust  by  evaluating  a  trustee  (node  j)  based  on  a  trustor  (node 
/)' s  own  standard.  The  trustor  gives  a  perfect  score  of  1  when  the  trustee's  trust  value  is  larger  than  its  own  trust 
value.  Otherwise,  node  /  scales  it  down  to  its  own  standard.  7}z(t)  ,  where  Z  is  energy,  cooperation,  or  honesty, 
can  be  obtained  from  our  SPN  model  shown  in  Section  4.2;  for  technical  details,  we  refer  the  reader  to  our  prior 
work  [6],  For  Z  =  betweenness  or  proximity,  Equations  7  and  8  below  show  how  to  compute  7Jz(t)  based  on 
location  information. 

Notice  that  in  Equation  3,  f^-hoP’z~indirect  (j)  js  calculated  based  on  the  (n-1)- hop  trust  values  such  as 
T^  ^~hop,Z(t')  and  T^lj~1^~hop,z  (t).  However,  for  7i1r/lop'z_mdirect  (t),  the  local  trust  value  with  n  =  1  does  not 
have  (n-1)- hop  trust  values,  and  thus  we  calculate  it  based  on  the  1-hop  trust  values  at  time  (t  —  A).  This  is  a 
reasonable  choice  to  reflect  past  experiences  for  trust  evaluation.  Thus,  ■z~indirect  js  gjven  by- 
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Except  for  using  the  past  experience  at  time  (t  —  A)  with  1-hop  trust  values,  other  notations  and  physical 
meanings  are  the  same  as  for  Equation  3. 

Based  on  Pj0C=k(t )  (the  probability  that  node  j  is  located  in  area  k)  obtained  as  above,  the  probability  that  two 
nodes  are  /c-hop  away  can  be  computed.  7 -p>oxim,ty  (t)  and  ^betweenness  ^  Can  then  be  computed  based  on 
location  information  as  follows: 
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where  A  is  a  set  of  possible  locations,  D^xet  's  the  maximum  distance  to  a  designated  target  area  (Ltarget )  among 
all  possible  locations  in  the  operational  area  and  D(i,Ltarget )  is  the  distance  from  area  /  to  a  designated  target 
area  (Ltarget )  given  that  node  j  is  located  in  area  /  based  on  Figure  1. 


betweenness 


(0  = 


YjUL  £ 


lieM 


YjkeL  ( 


loc=i 


C (t ) 


(Ar 


Dji,  fc))^ 


Dn 


\M\ 


(8) 


8 


where  M  is  a  set  of  all  nodes'  ids,  \M\  is  the  number  of  nodes  in  set  M,  Dmax  is  the  maximum  distance  among  the 
distances  between  node  j's  location  and  all  possible  locations  of  node  h  and£>(r,  k)  is  the  distance  from  node  j's 
location  to  node  h’s  location  given  that  node  j  is  located  in  area  /  and  node  h  is  located  in  area  k  based  on  Figure  1. 

3.3  Mission  Success  Probability 

We  define  the  mission  success  probability  as  a  reliability  metric  based  on  the  trust  level  required  for  successful 
mission  execution.  First  of  all,  we  calculate  the  reliability  R(t)  in  the  same  way  that  the  reliability  of  a  serial  system 
with  multiple  components  is  calculated  [22],  as  the  product  of  the  component  reliabilities.  Flere  each  component  is 
the  reliability  of  team  members  belonging  to  the  same  node  type.  Thus,  R(t)  is  computed  as: 

T— T  2  (9) 

F?(t)  =  |  n(t)  where  k  —  ceil(-*ri) 

17=1 

For  the  reliability  calculation  of  each  component,  RkNj°ut  ~°f  ~n  (t) ,  we  treat  it  as  a  k-out-of-n  system  [22],  meaning 
that  the  system  is  assumed  to  function  properly  if  at  least  k  subcomponents  out  of  n  subcomponents  are  operating 
properly.  In  Equation  9,  v  indicates  a  certain  node  type,  m  is  the  number  of  node  types,  k  is  the  minimum  number 
of  properly  functioning  nodes  in  node  type  v,  and  n  is  the  total  number  of  nodes  in  node  type  v.  Further,  in  order 
to  derive  k  reasonably,  we  use  the  concept  of  Byzantine  Failure  (BF)  [10]  meaning  that  if  more  than  1/3  of  the 
nodes  are  compromised,  the  system  fails.  Similarly,  we  define  system  failure  if  more  than  1/3  of  nodes  do  not 
meet  the  required  trust  thresholds:  the  mission  fails.  We  apply  this  system  failure  definition  in  calculating  the 
reliability  of  a  mission  team  with  the  same  node  type,  consisting  of  a  set  of  selected  mission  team  members. 
Summarizing  the  above,  RkNy°ut  ~°f  ~n (t)  is  calculated  by: 
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Flere  rNT  (£)  is  the  average  reliability  of  nodes  in  G,  G  is  a  set  of  selected  nodes  in  node  type  v  for  mission 
execution,  and  |G|  indicates  the  number  of  selected  nodes  in  node  type  v.  For  simplicity,  we  use  the  average 
reliability  of  nodes  in  the  same  node  type,  instead  of  using  different  node  reliabilities,  as  shown  in  Equation  11. 

In  Equation  12,  the  reliability  of  each  selected  node  belonging  to  node  type  v  for  mission  execution  (r^(t))  is 
calculated  similar  to  the  way  we  calculate  trust  values  in  Equation  1.  Specifically,  r^(t)  is  obtained  by: 
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Flere  p2  and  (1  —  /?2)  are  the  weight  parameters  for  QoS  trust  and  social  trust.  Note  that  ft  and  (1  —  ft)  in 
Equation  1  are  used  to  indicate  weights  for  QoS  trust  and  social  trust  in  calculating  trust  values  in  either  MDTM  or 
UFTM.  On  the  other  hand,  ft  ar|d  (1  —  ft)  are  the  weights  required  to  predict  the  mission  success  probability. 

The  reliability  of  each  trust  component  (i.e.,  r^z(t)  where  Z  indicates  a  trust  component)  is  calculated  via  the 
required  trust  thresholds,  and  the  average  trust  values  of  a  trustee  node  j  by: 
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We  use  two  different  trust  thresholds  called  D^j.2  1  and  DJNTZ  2 .  DJNTZ  1  is  the  required  trust  level  for  trust 
component  Z  in  node  type  v.  DJNTv  is  the  system  drop  dead  trust  level  for  trust  component  Z  in  node  type  v.  That 
is,  if  the  average  trust  value  of  node  j  is  equal  to  or  larger  than  the  required  trust  level  (D^z_1),  the 

reliability  of  node  j  (t))  is  1.  If  the  average  trust  value  of  node  j  (t))  is  less  than  the  system  drop  dead 
trust  level  (DJNfz~2),  the  reliability  of  node  j  (r^Tz (t))  is  0.  Otherwise,  T^fz{t)  will  be  scaled  down  based  on 
Z^"z_1,  as  shown  in  Equation  13.  Note  that  depending  on  a  node  type  of  a  node,  a  given  mission  may  require  a 
different  trust  threshold  for  both  Z)^z_1  and  DJNfz~2 .  Equation  13  uses  the  average  trust  value  of  node  j  (7^z(t)) 
calculated  by: 
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Here  M  is  a  set  of  all  nodes  in  the  network  (non-selected  nodes  plus  selected  nodes  for  mission  execution)  and 
|  A/7 1  indicates  the  total  number  of  elements  in  M.  Note  that  the  average  trust  value  of  node  j  in  node  type  v  is 
evaluated  by  all  nodes  in  the  network,  not  necessarily  only  by  selected  nodes  in  node  type  v  for  mission  execution. 

3.4  Energy  Model 

We  follow  the  energy  model  in  [6].  We  associate  the  energy  level  of  a  node  with  its  state:  selfish/unselfish  or 
compromised/uncompromised  or  whether  it  is  a  group  member/non-group  member.  Depending  on  the  remaining 
energy,  each  node  acts  differently.  The  degree  of  energy  consumption  is  also  affected  by  the  node's  state.  These 
parameters  are  interwoven  and  affect  a  node's  lifetime  significantly.  Each  node  must  handle  events  such  as 
beaconing,  group  communication,  rekeying,  and  status  exchange  for  trust  update.  In  particular,  after  a  status 
exchange  event,  trust  evaluation  of  1-hop  neighboring  nodes  as  well  as  distant  nodes  may  be  performed.  Each 
node  may  transmit  its  own  status  (e.g.,  information  providing  the  trust  values)  as  well  as  trust  values  of  other 
nodes  on  its  trust  chain.  Recall  that  we  use  recommendations  from  1-hop  neighbors  for  trust  evaluation  and  each 
status  message  is  disseminated  periodically.  Further,  we  also  distinguish  inactive  nodes  that  are  not  performing  a 
mission  from  active  nodes  that  are  participating  in  a  mission,  and  their  effects  are  also  taken  into  consideration  to 
calculate  energy  consumption. 

3.5  Attack  Model 

We  consider  the  presence  of  outside  and  inside  attackers  by  non-group  members  and  legitimate  group  members. 
We  assume  that  prevention  techniques  such  as  encryption,  authentication,  or  rekeying  inhibit  outsider  attacks. 
Our  trust  management  protocol  will  utilize  the  IDS  to  detect  inside  attackers  and  identify  compromised  nodes.  The 
IDS  system  will  categorize  nodes  performing  real  attacks  as  "blacklisted"  culprits  and  forward  them  to  the  GCS  for 
permanent  evictions  of  proven  attackers  through  individual  rekeying. 

4.  Performance  Model 

We  develop  SPN  models  to  analyze  the  performance  of  MDTM.  We  use  SPN  because  of  its  efficient 
representations  of  a  large  number  of  states  when  the  underlying  models  are  Markov  or  semi-Markov  models.  We 
develop  a  hierarchical  modeling  technique  based  on  SPN  to  avoid  state  explosion  problems  and  to  improve 
solution  efficiency  for  modeling  a  large-scale  GCS  operating  under  MDTM  or  UFTM. 

4.1  Hierarchical  Modeling  using  Stochastic  Petri  Nets 
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1st  iteration  at  time  t  =  0  2"d  iteration  between  [0,  At]  3rd  iteration  between  [At,  2Af]  n,h  iteration  between  [(n-1 )  At,  n  At] 


Trust  values  are  computed  using  the  trust  component  values  collected  per  iteration. 


Figure  2:  Hierarchical  Modeling  Processes  using  SPN  Subnets. 


We  use  a  SPN  subnet  model  to  describe  each  node's  lifetime;  the  SPN  subnets  do  not  communicate  with  each 
other  directly.  We  use  a  "continuous-time"  iterative  technique  to  capture  the  dynamics  during  an  evaluation 
period  (or  an  iteration).  At  the  end  of  the  evaluation  period,  each  subnet  yields  information  about  the  state  of  the 
node  (residual  energy,  selfishness,  location,  etc.).  Nodes  can  also  obtain  state  information  from  their  1-hop 
neighbors  at  the  end  of  the  evaluation  period.  These  pieces  of  information  are  inputs  to  the  SPN  subnet  at  the  next 
evaluation  period  (or  the  next  iteration). 

Initially  the  location  of  each  node  is  randomly  distributed  over  the  operational  area  based  on  the  uniform 
distribution.  As  explained  in  our  network  model  in  Figure  1,  a  node  moves  to  one  of  seven  locations  including  its 
own  location  with  a  higher  probability  of  moving  closer  to  a  designated  target  area  (i.e.,  to  the  two  closest  with 
probability  0.2  each,  the  next  two  closest  with  0.15,  the  next  two  closest  with  0.1  and  its  own  location  with  0.1).  In 
cases  that  a  node's  next  full  seven  directions  are  not  available,  then  equal  chances  are  given  to  the  available 
locations.  The  speed  of  each  node  is  initially  chosen  randomly,  depending  on  its  node  type,  and  is  then  fixed  during 
its  lifetime.  Table  1  in  Section  5  shows  the  default  parameter  values  used.  The  SPN  subnet  for  node  /  computes  the 
probability  that  node  /  is  in  a  particular  hexagon  area  j  at  time  t.  This  information  along  with  the  information  of 
other  nodes'  location  information  at  time  t  provides  the  information  about  a  node's  n-hop  neighbors  at  time  t, 
which  we  will  use  to  compute  the  trust  metric  (see  Section  3.2).  Since  movements  are  assumed  to  be  independent, 
the  probability  that  two  nodes  are  in  a  particular  location  at  time  t  is  given  by  the  product  of  the  two  individual 
probabilities.  This  process  is  done  by  running  the  SPN  subnet  N  times  for  the  N  nodes  in  the  network  based  on  the 
continuous-time  iterative  technique  described  above. 

In  the  first  iteration,  since  there  is  no  information  available  about  1-hop  neighbors,  it  is  assumed  that  each  area 
has  an  equal  number  of  nodes  and  all  nodes  are  unselfish.  In  the  second  iteration,  based  on  the  information 
collected  (e.g.,  location,  energy  level,  number  of  cooperative/selfish  and  compromised/healthy  1-hop  neighbors) 
from  the  first  iteration,  each  node  knows  how  many  nodes  are  1-hop  neighbors  that  can  directly  communicate 
with  it,  and  whether  or  not  they  are  members  of  the  GCS,  cooperative  or  selfish,  compromised  (dishonest)  or 
healthy  (honest).  A  node  also  knows  how  many  n-hop  neighbors  it  has  at  time  t. 

4.2  SPN  Models 

Figure  3  shows  the  SPN  subnet  model  for  describing  a  node's  mobility  behavior,  whether  the  node  is  a  member  or 
not,  and  a  node's  status  in  terms  of  its  energy  level,  membership,  degree  of  healthiness  or  honesty  (e.g.,  whether 
or  not  a  node  is  compromised  or/and  detected  by  IDS),  and  degree  of  unselfishness  or  cooperation.  The  SPN 
subnet  gives  the  probability  of  each  node  being  located  in  a  particular  area  at  a  particular  time  point. 
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tlocation  t.selfish  t_redemp 


Figure  3:  SPN  Subnet  Model. 

The  transition  T_LOCATION  is  triggered  when  a  node  moves  to  a  randomly  selected  area  out  of  seven  different 

NT  NT 

directions  including  its  current  location,  with  the  rate  calculated  as  Sini”/R  based  on  an  initial  speed  ( Sini t”)  and  a 
wireless  radio  range  (R).  Depending  on  the  randomly  selected  location,  the  number  of  tokens  in  place  location  is 
adjusted.  We  assume  that  inter-arrival  times  of  a  node's  join  and  leave  requests  are  exponentially  distributed  with 
rates  A  and  g  respectively. 

Place  energy  represents  the  current  energy  level  of  a  node.  An  initial  energy  level  is  assigned  according  to  node 
heterogeneity  information  depending  on  the  node  type.  In  our  analytical  model,  we  randomly  generate  a  number 
between  certain  ranges  (See  Table  1  in  Section  5  for  details)  based  on  the  uniform  distribution.  A  token  is  taken 
out  when  transition  T_ENERGY  fires.  The  transition  rate  of  T_ENERGY  is  adjusted  on  the  fly  based  on  a  node's  state; 
it  is  lower  when  a  node  becomes  selfish  to  save  energy  or  when  a  node  changes  from  member  to  non-member;  it 
is  higher  when  the  node  becomes  compromised  so  that  it  performs  attacks  and  consumes  more  energy.  We 
assume  that  T  seconds  will  be  taken  to  consume  one  energy  token  when  a  member  node  has  no  selfish  or 
compromised  1-hop  neighbors.  We  follow  the  energy  model  in  [6]  for  adjusting  the  time  taken  to  consume  one 
token  in  place  energy  based  on  a  node's  status. 

Place  UCN  indicates  an  undetected  compromised  node.  Place  DCN  represents  a  detected  compromised  node.  A 
node  is  compromised  when  transition  T_COMPRO  with  rate  Acom  fires  where  Acom  is  the  base  compromising  rate 
initially  given  indicates  the  level  of  current  energy.  In  practice,  Acom  can  be  derived  via  first-order  approximation 
from  the  observations  of  historical  attack  behaviors.  The  behavior  of  a  node  being  compromised  is  associated  with 
the  energy  level  of  the  node.  If  the  node  has  low  energy,  it  is  more  likely  to  become  compromised,  and  vice-versa. 
This  is  modeled  by  the  enabling  function  of  T_COMPRO,  which  returns  1  to  enable  T_COMPRO  or  returns  0  to 
disable  T_COMPRO,  as  follows: 


enabling_T_COMPRO:  (15) 

if(mark(energy )  >  0  &&mark(UCN )  ==  0  &&.mark(DCN )  ==  0  &&  mark  {member')  >  0) 

{if(Nrand  <  Pdishonest)  return  1;  else  return  0; } 
where  Nrand  =  rand[0, 1]  *  ( mark(energy )  +  l)/Ccom 

Here  rand  [0, 1]  returns  a  random  variable,  mark(energy )  indicates  the  remaining  energy,  and  Ccom  is  a  constant. 
P dishonest  models  the  inherent  behavioral  nature  of  a  node's  honesty  (or  dishonesty)  and  is  a  randomly  selected 
number  based  on  the  truncated  exponential  distribution  with  mean  0.5  in  the  range  of  [0,  1],  Equation  15  implies 
that  a  node  behaves  dishonestly  based  on  the  random  seed  of  the  bad  behavior  but  the  bad  behaviors  can  be 
relaxed  or  further  enhanced  based  on  the  current  remaining  energy  level  of  the  node.  If  the  node  is  compromised, 
a  token  goes  to  UCN,  being  compromised  but  not  detected  by  IDS.  While  the  node  is  not  detected  by  IDS,  it  has  a 
chance  to  perform  attacks.  But  right  after  being  detected  by  IDS,  a  token  is  taken  out  from  UCN  into  DCN  and  the 
node  is  evicted  immediately  through  individual  rekeying  operations.  We  consider  false  alarm  probabilities  of  IDS. 
False  negative  probability  (P^5)  of  IDS  is  applied  in  TJDS  with  the  rate  (l  —  PfnS)/Tms  where  Tms  is  an  interval 
triggering  IDS  periodically  and  false  positive  probability  ( P^s )  of  IDS  is  considered  in  TJDSFA  with  the  rate 

pIDS  /rr 
rfp  /  1  IDS- 
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Place  SN  represents  whether  a  node  is  selfish  or  not.  If  a  node  becomes  selfish,  a  token  goes  to  SN  by  triggering 
T_SELFISH.  Transition  T_SELFISH  fires  based  on  the  condition  of  the  energy  level  of  a  node.  Our  assumption  is  that 
if  the  node  has  low  energy,  it  is  more  likely  to  become  selfish,  and  vice  versa.  The  enabling  functions  for  T_SELFISH 
and  T_REDEMP  are  given  in  Equations  16  and  17  respectively  by: 

enabling_T_SELFISH:  if  (mark  {energy )  >  0  &&  mark(member )  >  0  8i&.mark(SN )  ==  0)  (16) 

{  if{Nrand  <  P seif  is  h  )  return  1;  else  return  0; } 
where  Nrand  =  rand[ 0, 1]  *  ( mark(energy )  +  1  )/Cselfish 

enabling_T_REDEMP:  if  (mark(ener gy)  >  0  &&  mark(member )  >  0  8i&.mark(SN )  >  0)  (17) 

{  if(Nrand  <  Pseifish )  return  0;  else  return  1; } 
where  Nrand  =  rand[ 0, 1]  *  ( mark(energy )  +  1)/Cselfish 

Pseifish  models  the  inherent  behavioral  nature  of  a  node's  selfishness  and  is  a  randomly  selected  number  based  on 
the  truncated  exponential  distribution  with  mean  0.5  in  the  range  of  [0,  1].  Other  parameters  are  similar  to  those 
used  in  Equation  15.  We  define  Tgc  as  the  time  interval  to  disseminate  a  group  communication  packet,  assumed  to 
be  exponentially  distributed  in  this  work.  Each  node's  selfishness  is  checked  whenever  a  group  communication 
packet  is  transmitted,  so  that  the  transition  rate  of  T  SELFISH  is  1/Tgc.  The  transition  T  SELFISH  is  triggered  when 
a  node  is  a  member,  alive  with  remaining  energy  ( mark(energy )  >  0),  and  currently  not  selfish.  When  the 
randomly  selected  number  reflecting  the  degree  of  the  node's  current  energy  level  (Nrand )  is  less  than  the 
probability  of  selfish  nature  ( Pseifish ),  T_SELFISH  fires,  and  vice  versa.  We  also  similarly  model  the  redemption 
mechanism  for  selfish  nodes  by  using  the  transition  T_REDEMP  with  the  rate  of  .  A  node  can  have  a 

chance  to  be  redeemed  at  the  end  of  a  reevaluation  period,  corresponding  to  a  trust  update  interval  (Tt^s“te  ). 
During  the  reevaluation  period,  if  the  node  behaves  well,  redemption  is  awarded,  and  vice  versa.  If  a  node  has 
sufficiently  low  energy,  it  may  choose  to  remain  selfish  to  save  its  energy  in  a  similar  way  as  in  transition  T  SELFISH . 
No  redemption  service  is  provided  for  compromised  nodes,  whether  they  are  detected  or  not. 

5.  Numerical  Results  and  Analysis 

In  this  section,  we  show  numerical  results  obtained  by  evaluating  our  hierarchical  SPN  model.  Table  1  gives  the 
default  parameter  values  used  in  this  case  study. 


Table  1:  Default  parameter  values  used. 


Parameter  Value 

Parameter  Value 

Parameter  Value 

Parameter  Value 

N  160 

j/  O 

,vrecom 

R  250  m 

X  1/(60*60) 

g  1/(60*60*4) 

SZt  (3,  5]  m/s 

sZu  (5, 10]  m/s 

SZ3  (10,  15]  m/s 

SZ?  (15,  30]  m/s 

Xcom  1/(60*60*2) 

EZt  (12/  24]  min. 

EZt2  (24,  36]  min. 

EZt  (36,  481  min- 

EZt  <48'  60]  min. 

PfZ  =  pfZ  0.5% 

a  0.8 

Tgc  60*2  s 

Tids  60*10  s 

Tupdate  60*2  S 

trust 

TC  3 

The  total  number  of  nodes  in  the  network  N  is  set  to  160,  with  40  nodes  for  each  of  the  4  node  types.  Speed  and 
initial  energy  level  of  nodes  are  selected  from  a  uniform  distribution,  thus  reflecting  the  heterogeneous 
characteristic  of  military  environments.  The  IDS  false  positive  and  false  negative  probabilities  were  set  to  0.005, 
assuming  that  a  high  quality  distributed  IDS  is  deployed  in  the  network.  A  trust  update  interval  of  10  min.  is  used  to 
monitor  network  dynamics  and  update  trust  values  of  nodes  in  the  network.  The  length  of  the  trust  chain  (TC)  is 
set  to  3  because  it  has  been  shown  that  TC=3  provides  the  maximum  trust  values  [6].  Flere,  we  focus  on 
comparative  analysis  of  MDTM  and  UFTM. 

The  key  parameters  are  the  weights  for  QoS  trust  (ft)  and  social  trust  (1  —  ft)  that  can  be  adjusted  for  MDTM  and 
UFTM.  UFTM  uses  identical  weights  (QoS  trust:  social  trust  =  0.5:  0.5)  to  consider  both  QoS  trust  and  social  trust 
properties  with  equal  importance  regardless  of  the  characteristics  of  the  mission.  On  the  other  hand,  MDTM  uses  a 
different  set  of  the  ratio  of  QoS  trust  and  social  trust  in  order  to  best  identify  well  qualified  nodes  based  on  the 
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characteristics  of  a  given  mission.  We  experiment  with  two  mission  scenarios  where  one  scenario  (called  the  QoST 
mission)  requires  high  QoS  trust  levels  (QoS  trust:  social  trust  =  0.8:  0.2  with  ft  =  0.8)  while  the  other  scenario 
(called  the  ST  mission)  requires  high  social  trust  levels  (QoS  trust:  social  trust  =  0.2:  0.8  with  ft  =  0.2). 


Table  2:  Trust  threshold  values  used  for  trust-based  reliability  calculation. 


rtj  —  QoST  —1 
UNTV 

QoST  mission 

rv/  —QoST  —2  rW  —ST— 1 

UNTV  UNTV 

ni-ST-2 

UNTV 

r\j  —  QoST  —  1 
UNTV 

ST  mission 

rW  QoST  2  T)J  —ST—1 

UNTV  UNTV 

ni-ST-2 

UNTV 

NTt 

0.6 

0.5 

0.5 

0 

0.5 

0 

0.6 

0.5 

nt2 

0.65 

0.5 

0.5 

0 

0.5 

0 

0.65 

0.5 

nt3 

0.7 

0.5 

0.5 

0 

0.5 

0 

0.7 

0.5 

nt4 

0.75 

0.5 

0.5 

0 

0.5 

0 

0.75 

0.5 

Table  2  summarizes  the  trust  threshold  values  used  in  Equation  9  to  calculate  the  mission  success  probability  R(t). 


Figure  4:  Trust-based  Mission  Success  Probability 
under  QoST  mission. 


Figure  5:  Trust-based  Mission  Success  Probability 
under  ST  mission. 


We  perform  a  comparative  analysis  in  terms  of  R(t)  obtained  under  MDTM  versus  UFTM,  noted  as  R-MD  and  R-UF 
shortly  in  Figures  4  and  5.  Figure  4  shows  R(t)  over  time  for  the  QoST  mission.  We  compare  MDTM  with  ft  =  0.8 
against  UFTM  with  ft  =  0.5,  given  a  QoST  mission  with  ft  =  0.8.  Figure  4  shows  that  as  time  progresses,  MDTM 
performs  better  overall  except  when  time  t  is  sufficiently  small  (i.e.,  t  <  30  min.)  or  sufficiently  large  (i.e.,  t  >  130 
min.).  The  reason  is  that  for  the  QoST  mission  in  Figure  4,  MDTM  will  select  more  QoS  qualified  nodes  that  are 
usually  less  selfish  and  consume  more  energy  by  cooperating  more  than  those  selected  by  UFTM.  As  time 
progresses,  the  energy,  particularly  for  nodes  of  node  type  1  (type  1  nodes  have  the  least  energy),  will  be  drained 
and  they  become  selfish  to  save  energy.  On  the  other  hand,  UFTM  will  select  nodes  with  the  same  weights  for  both 
QoS  trust  and  social  trust  and  accordingly  nodes  still  having  high  energy  may  not  be  selected  compared  to  those 
selected  by  MDTM.  Thus,  in  UFTM,  energy  will  not  be  drained  as  much  as  in  MDTM  and  nodes  with  relatively  more 
energy  will  remain  alive  compared  to  MDTM  even  as  time  progresses.  Consequently,  UFTM  could  perform  better 
than  MDTM  at  large  t  because  it  has  more  nodes  left  with  high  energy. 

Figure  5  shows  R(t)  over  time  for  the  ST  mission.  We  compare  MDTM  with  ft  =  0.2  against  UFTM  with  ft  =  0.5, 
given  a  ST  mission  with  ft  =  0.2.  Except  for  the  point  at  time  t  =  10  min.  where  UFTM  and  MDTM  select  the  same 
set  of  nodes  for  mission  execution  due  to  the  assumption  that  at  time  t  =  0  all  nodes  are  ignorant,  MDTM  clearly 
outperforms  UFTM.  This  is  because  the  trust  values  of  social  trust  components  (i.e.,  honesty,  proximity,  and 
betweenness)  are  mainly  affected  by  randomly  selected  location  information  as  well  as  a  random  seed  selected  as 
the  nature  of  the  dishonest  behavior  of  a  node.  Even  if  we  associate  a  node's  dishonest  behaviors  with  the 
remaining  energy  level  of  a  node,  the  values  of  the  social  trust  components  are  relatively  less  affected  by  energy 
consumption  over  time,  although  we  also  observe  that  the  trust  values  in  both  MDTM  and  UFTM  decrease  as  time 
progresses  due  to  energy  exhaustion. 
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To  understand  how  MDTM  or  UFTM  affects  R(t),  we  study  how  each  scheme  (MDTM  or  UFTM)  dynamically  selects 
a  set  of  qualified  nodes  during  each  trust  evaluation  period.  To  effectively  show  the  membership  dynamics  we 
used  the  Mean  Percentage  Difference  (MPD)  to  explain  the  membership  difference  between  MDTM  and  UFTM, 
with  a  larger  MPD  indicating  a  higher  dynamic  membership  change  of  MDTM  over  UFTM.  The  MPD  is  computed  by: 


MPD 


\MD—UF\ 

members  hip  —NTV 


V  I  ]\/r iR—MD  _  jujiR-UF 

v«  LkEG\Mk,NTv  Mk,NTv 

|G| 

\S\ 


(18) 


where  or  M"  represents  the  membership  status  of  node  k  in  node  type  v  in  each  scheme,  with  1  for  a 

selected  member,  0  otherwise.  |S|  is  the  number  of  iteration  rounds  (or  the  number  of  trust  evaluation  periods), 
|G|  is  the  number  of  nodes  in  each  node  type  v,  and  k  is  the  node  ID  in  node  type  v  at  the  ith  evaluation  period. 


■  QoST  mission  with  (QoS  trust:  Social  trust  =  0.8:  0.2) 
0  35  ■  ST  mission  with  (QoS  trust:  Social  trust  =  0.2:  0.8) 


MPD-NT1  MPD-NT2  MPD-NT3  MPD-NT4 
Membership  MPD  of  Each  Node  Type 


Figure  6:  MPD  based  on  the  membership  dynamics  of  MDTM  and  UFTM  in  each  node  type  under  QoST  mission 

and  ST  mission. 

From  Figure  6,  we  notice  that  the  MPD  is  larger  for  the  QoST  mission  except  for  the  least-capable  nodes  (type  1), 
whereas  the  MPD  is  larger  for  less  capable  node  types  with  the  ST-type  mission.  Further,  the  QoST  mission  shows 
more  dynamic  membership  changes  between  trust  evaluation  periods  while  the  ST  mission  shows  more  stable 
memberships  in  both  schemes.  Note  that  a  high  MPD  indicates  a  high  membership  difference  between  MDTM 
and  UFTM. 

6.  Conclusion  and  Future  Work 

We  proposed  a  composite  trust  metric  comprising  QoS  trust  derived  from  communication  networks  and  social 
trust  derived  from  social  and  cognitive  networks.  We  then  proposed  a  mission-dependent  trust  management 
protocol  suitable  for  military  battlefield  tactical  MANETs  based  on  the  context-dependent  characteristics  of  our 
composite  trust  metric.  We  considered  dynamic  membership  change  upon  every  trust  update  for  selecting  a 
mission  team  that  consists  of  highly  qualified  nodes  to  maximize  the  mission  success  probability  based  on  the  trust 
values  of  nodes  selected  for  mission  execution.  We  developed  SPN  models  for  performance  evaluation  of  our  trust 
models  and  protocols.  In  particular,  we  developed  a  continuous-time  hierarchical  modeling  technique  that  takes 
into  account  network  dynamics  between  trust  evaluation  periods.  Our  results  showed  that  the  proposed  mission- 
dependent  trust  management  protocol  outperforms  a  unified  trust  management  protocol  overall  in  terms  of  the 
mission  success  probability. 

Our  future  research  will  extend  this  work  by:  (1)  identifying  the  optimal  weights  for  our  proposed  mission 
dependent  trust  management  protocol,  taking  into  account  operation  and  mission  requirements;  (2)  implementing 
multiple  concurrent  missions  with  multiple  mission  teams  and  analyzing  their  effects  on  the  mission  success 
probability,  membership  change,  and  trust  values  of  mission-participating  nodes;  (3)  considering  other  types  of 
trust  properties  such  as  situational  awareness  or  leadership  or  group  solidarity  derived  from  social  and  cognitive 
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networks;  (4)  identifying  an  optimal  trust  interval  balanced  with  "jitter  and  flap,"  since  rapid  and  continuous 
changes  in  team  composition  may  hinder  mission  success;  and  (5)  validating  and  verifying  the  proposed  trust 
models  and  trust  propagation  protocols  through  extensive  simulation  and,  where  feasible,  experiments  in  practical 
environments. 
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